(a) Personal data processed by a controller under this subchapter may not be processed for any purpose other than a purpose listed in this subchapter unless otherwise allowed by this chapter. Personal data processed by a controller under this subchapter may be processed to the extent that the processing of the data is:
(1) reasonably necessary and proportionate to the purposes listed in this subchapter; and
(2) adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this subchapter.
(b) Personal data collected, used, or retained under § 541.202(a) must, where applicable, take into account the nature and purpose of such collection, use, or retention. The personal data described by this subsection is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.

(c) A controller that processes personal data under an exemption in this subchapter bears the burden of demonstrating that the processing of the personal data qualifies for the exemption and complies with the requirements of Subsections (a) and (b).
(d) The processing of personal data by an entity for the purposes described by § 541.201 does not solely make the entity a controller with respect to the processing of the data.


Text of section effective on July 01, 2024